Hacker News: 0x53's comments

Never add your personal device to a company's MDM…

Never use your personal device for work, you wanted to say, probably.

The only maybe grey area is to only use it as an authenticator. But yes, even then the company needs to provide this; a cheap phone works.

Or an even cheaper and less complex (!) hardware token.

USB keys? Isn't that what most companies do?

No, most companies use MS authenticator now for Office 365...

https://support.microsoft.com/en-us/account-billing/download...


At the company I used to work at, they shipped you a Chromium OS computer and a YubiKey.

Most companies are definitely NOT using YubiKeys. Did you work for Google? Nice man :)

MFA in general had to be forced on companies, and then it is most often in software on a phone.

Here are some rough numbers.

  google_workspace:
    total_active_users: "3 billion (includes free/consumer Gmail)"
    paid_business_customers: "11 million companies (2024)"
    paid_customer_growth: "+1 million companies in under 1 year (2023-2024)"
    global_business_market_share: "~50%"
    fortune_500_presence: "minority share, weaker than Microsoft in enterprise"
    mfa_with_yubikeys:
      internal_google_employees: "100% use hardware keys (Yubikey/Titan) — since 2017"
      fido_u2f_origin: "Google co-created U2F standard with Yubico post-Operation Aurora"
      estimated_user_adoption_pct: "~1-3% of all Workspace users (inference, not published)"
      concentration: "Highest in finance, government, tech/security-conscious orgs"
      typical_majority_mfa_method: "TOTP apps (Google Authenticator) or SMS"
      enterprise_passkey_deployment_2025: "87% of US/UK enterprises deploying or have deployed passkeys (FIDO Alliance — includes all hardware key types, not Yubikey-specific)"

  microsoft_365:
    total_active_users: "~270 million (commercial)"
    paid_business_customers_us: "~1 million active US business customers"
    us_company_penetration: "~3% of all US companies"
    global_business_market_share: "~45%"
    fortune_500_presence: "~75% of Fortune 500"
    mfa_with_yubikeys:
      exact_stat_available: false
      note: "Same data gap as Workspace — no published breakdown"

  caveats:
    - "Google's 3B user figure conflates consumer and business — not comparable to Microsoft's 270M commercial figure"
    - "Market share figures vary by methodology (seats vs revenue vs orgs)"
    - "Yubikey adoption % is an industry inference; treat as directional only"
    - "Passkey != Yubikey — FIDO Alliance 87% figure covers all FIDO2/passkey methods"

I worked for Amazon; they used the open source version of Chrome OS (Chromium OS), and mini PCs. I think this is the best setup; if I ever have to manage a company I will do this.

Ok, good for you. Can you see now that most companies are not using YubiKeys?

I believe Android Work Profile [0] would have limited the damage to the work profile rather than also impacting the personal profile on a personal device.

Does anyone know if this is correct?

[0] https://www.android.com/enterprise/work-profile/


Exactly. BYOD cannot be wiped [0], neither on iOS, nor on Android. Only company-owned devices are affected.

edit: [0] - on iOS this means enrolled via User Enrollment


That's assuming their IT department was competent and did the enrollment process correctly. Which, based on them just getting mega hacked, seems unlikely.

And wrote a great book: Not the End of the World


Yep. It's a very good book and well worth a read.

It's interesting to see how upset people are on Goodreads about that book:

https://www.goodreads.com/book/show/145624737-not-the-end-of...

The top reviews are mostly people angry with Ritchie for not being a catastrophist.


Netflix still gets a breakup fee, I suppose?


Look into radiative cooling. Basically this, but more practical. Several companies working on it: https://www.skycoolsystems.com/


I don't quite believe this.

Is it really better than just using solar panels to run a heat pump?


> Our core innovation is a radiative cooling material that we’ve combined with a panel system to improve the efficiency of any vapor-compression based cooling system

A heat pump is a “vapor-compression based cooling system”, so that tech is an addition-to, not an instead-of.

Whether it’s better probably depends on how expensive the additional efficiency is in practice.

> SkyCool’s Panels save 2x – 3x as much energy as a solar panel generates given the same area.

So if you’re area constrained, maybe.


That's very hard to believe. Radiative cooling is really bad compared to any kind of fan in front of aluminum fins.

Air itself is an insulator; there is a reason you need to shove in fresh air to take on more energy from the heat source.


This looks like it depends on the outside air to cool the coolant. "Radiative" can mean that too, not just IR radiation.


Thankfully, it is illegal for private companies to do that.


Unless you work in a pharmacy. Or you’re a ‘mall-cop’. Or literally any employee anywhere who is suspected of fraud or embezzlement or any “incident that resulted in a specific economic loss to the employer”.


You are correct. The Employee Polygraph Protection Act of 1988, which otherwise prohibits the use of putative lie detectors by employees, provides exemptions for such cases.


Unfortunately, that doesn't really prevent companies from doing things that are illegal if they turn out to be profitable enough. You could use a multispectral hidden camera and an mmWave radar fed into 'AI' to simulate a lie detector - you can definitely get pulse and breathing rate out of it, probably also perspiration.


Sure. And then someone who set that up will get fired and leak the scheme, and nudes from mmWave will be found, and it’s all lawyers and liability.


Love the idea and hope you are successful. I really think there is a lot of value to be unlocked in sharing/renting tools. In my area we have a tool library which is handy.

Some ideas:

- I would focus a lot of effort on making it incredibly easy and intuitive to list things. This is one of the primary barriers to me when using these types of apps.

- Maybe a future idea would be to list things from Home Depot or other stores to expand the number of rentals that are available.


Thanks a lot for the feedback—really appreciate it! Totally agree that ease of listing is key. We're actively working on making the process super simple with AI-powered automation, and also improving how people search and discover listings. Love the idea of integrating store rentals too—that's on our radar!


How does your tool library work? Who organizes it? Sounds really interesting.


We have one near my place that I'm a member of; it's run by volunteers. They have stuff outside of tools too (camping/cooking gear). You can view their inventory before you join: https://toolsnthingslibraryperthwa.myturn.com/library/

The main downside for me is returning the items in the window they're open.


Great question! Patio isn't a traditional tool library—it’s a peer-to-peer platform where anyone can list and rent tools directly from people nearby, similar to Airbnb. So instead of being run by an organization, it’s the community itself that powers it. We're just making it easy, safe, and fast to share tools locally.


I wonder which is more efficient: to manage tools or manage the need. Rather than putting up a yard sign for "I have a hammer, guys", one that says "hey guys, I need a hammer".


Great point — and thanks for sharing it. We’re actually exploring ways to let people post requests, not just listings, so it's easy to say “I need a hammer” and connect with someone nearby. It’s all about making those timely, local connections simple.


Yes fellow human


These are really good ideas, thanks so much for sharing!


Cool idea. Not sure exactly, but when it went to the jury duty section I just got the same question a bunch of times.


Been a fan of Scott’s for a while. Don’t agree about everything, but I think this video calls out the most important systemic problems.


I agree, and it's sad to feel the need to say this, but it's so important in this inflammatory era to respond positively to ideas and opinions despite not agreeing 100% or even 80%, because too often the baby is thrown out with the bathwater (especially online).


God yes, let’s bring this back. 80% agreement or even 50% is a foundation for progress.

Insistence on 100% agreement is a recipe for fragmentation.


I agree on all his diagnostics. The solution part is the part I'm not totally on board with.


It should be against the law to pay a ransom for data.


Ransomware becomes a death sentence to the business if this were to apply, which the US has no appetite for. We even let critical infra out of improving their cybersecurity [1] [2] [3], because it is expensive and hard. The asymmetry of cybersecurity makes effective defense challenging for even the most resourced orgs [4]. You have to win every single day, against social, phishing, auth/identity, and vulnerability attacks throughout the stack. They only need to win once.

(head of infosec, holds tabletop exercises with legal counsel on a cadence as part of ransomware insurance requirements)

[1] https://www.cybersecuritydive.com/news/epa-rescinds-cybersec...

[2] https://www.epa.gov/system/files/documents/2023-10/action-me...

[3] https://www.epa.gov/system/files/documents/2023-08/2023.08.0...

[4] https://arstechnica.com/security/2023/09/hack-of-a-microsoft...


Doesn’t the existence of a ransom “out” put a cap on how much money/seriousness a company willingly puts into infosec? Why would a company invest $22M into security if they can just pay criminals when they get owned?

If ransom was off the table, maybe they’d be motivated to actually secure their data? I don’t know—I’m not in infosec. It’s probably not that simple.


Correct. You calibrate your budget to your risk appetite (board/C-level tolerance, industry-specific compliance requirements, civil considerations, etc). Every company puts a budget on how much they're willing to spend, as resources are finite. Even the US DoD has a budget; there are limits. We risk-accept what we deem within our risk tolerance, or too expensive to derisk.

I think on HN, there is this belief that you can use incentives to force organizations to have perfect security, which does not exist. Employees are human, people make mistakes, budgets constrain staffing as well as control implementations and operations; there are simply limits to what you can do. You can use policy and incentives to encourage good/best behavior, but failures will still occur. The goal is attempts at desired outcomes, measuring those outcomes, and iterating; not 100% success (as that is impossible).


> how much money/seriousness a company willingly puts into infosec? Why would a company invest $22M into security if they can just pay criminals when they get owned?

Because it's not a one-time cost. If attackers know you have weak security and deep pockets they will persist.


“We do not negotiate with terrorists.” - Richard Nixon

Does it work? Depends on who you ask. https://www.chathamhouse.org/2022/01/we-do-not-negotiate-ter... says that individuals (in the case of corporate ransomware - corporate entities) end up paying and not reporting the kidnapping:

“Historical evidence from Colombia and Italy shows that outlawing ransom payment has various adverse consequences.

Where ransom payments are illegal, victims’ families have no state support, while reporting of the kidnapping goes down and understanding of its prevalence is diminished.”


It's a crime in Japan to pay protection money to Yakuza. It seems to be working. They are a shadow of their former selves.

You can mitigate adverse consequences. Punishments for child kidnapping used to be severe, but then abductors would just kill the hostage since they had little more to lose. Today's sentences are next to nothing to encourage surrender.


Or simply make exchanging bitcoin for anything of value illegal. It makes extortion of all kinds too easy, and company data is just the tip of the iceberg.

I was in Italy recently, and saw articles about the epidemic of kidnappings there in the 70s. It won't be long before organised crime figures out how to use crypto to bring back the glory days.

Killing bitcoin would shut down an enormous illegal economy overnight. And stop the crazy electricity consumption at the same time. Maybe you can help me here, but I'm having difficulty thinking of a single real downside.


> shut down an enormous illegal economy overnight.

Despite not owning any Bitcoin, I find it quite comforting to know that there is a currency that exists outside of the purview of a central bank or a government that can devalue or outright take the accruement of my labor on a whim.


Then what's stopping the criminals from going back to good ol' wire fraud like in the 90s and 2000s?

PS. All of the smart ransomware groups are not demanding payments with Bitcoin anymore, they are using another cryptocurrency called Monero. It turns out that Bitcoin is actually traceable by governments via its public ledger, but Monero is a private currency that can't be traced, hence why the IRS posted bounties some time back to encourage people to break Monero's obfuscation.

The only gangs that are still demanding Bitcoin are the less-educated and savvy ones.


Can't they receive the money in Bitcoin and then run it through Monero to "clean" it?


Monero can be de-anonymized relatively easily.


Source?


Oh yeah... there was no ransom business before Bitcoin.


Policy is quite far from that: ransoms are even tax deductible.


Are there no legal consequences for knowingly paying money to a known criminal group based in Russia? What about the existing OFAC sanctions?


I don't really think companies do KYC on ransomware groups. The government just does not prosecute it.


Hiring bounty hunters to hunt down the perpetrators should also be tax deductible then.


The stories I've read about these ransomware companies are wild. They have whole customer service departments to help you easily pay your ransom. They operate like a legit business.


I'll make an exception for payments with traceable money made on behalf of the FBI.


Or better yet, pay it to Ukraine, which is at war with the governments allowing this.


I would agree, except I don’t think it would keep people from paying regardless.


You'd end up with a bunch of shady "data recovery" firms that may or may not be related to the ransomware crews.


My Wirecutter disagreement is their flashlight recommendation. They recommend an AA battery flashlight from Amazon that in my opinion is terrible (https://www.nytimes.com/wirecutter/reviews/best-flashlight/). This article indicates that maybe the referral money is a factor. I wonder how much influence that has.

